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(57) Abstract: Secure communication is provided for entities 
in one or more networks. It is determined whether security 
measures needed for the communication exist between 
the entities. If such measures do not exist, the security 
measures are established, and the communication is initiated. 
The security measures include security bindings including 
information needed for the secure communication. Security 
measures are established between entities in one or more 
networks based on predetermined security requirements and 
on a determined needed security level. The security level 
needed may be determined based on whether the entities 
are in the same network or in different networks and/or on 
the information being transmitted. Security bindings are 
established between the entities depending on the information 
to be transmitted and/or the network to which the entities 
belong. The security bindings include information identifying 
the security binding, encryption information, authentication 
information, integrity information, a list of addressees or 
group of addressees included in the security bindings, and/or 
information regarding the lifetime of the security bindings. 
The encryption, authentication, and integrity may be specified 
at a parameter level. 
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METHOD AND APPARATUS FOR SECURE COMMUNICATION 

BACKGROUND 

This invention relates generally to a method and apparatus for secure 
communication. More specifically, this invention relates to a method and apparatus for 
secure communication between entities in the same or in different communication 
networks. 

There are many types of public land mobile networks, e.g., a Global System for 
Mobile Communications (GSM), a Digital Cellular System for Mobile Communications 
(DCS 1800), a Personal Communication System (PCS), and a Universal Mobile 
Telecommunication System (UMTS). These networks provide a wide range of services 
and facilities to mobile subscribers that are roaming around between individual cells of 
the mobile radio communication networks. An exemplary network architecture for 
mobile radio communication systems such as those is shown in FIG. 1 . 

A typical network includes at least one Home Location Register (HLR) 1 00 for 
storing information about subscribers to the network, a Visitor Location Register (VLR) 
1 10 for storing information about subscribers to other networks that may be roaming in 
the network, a Mobile Services Switching Center (MSC) 120 for performing switching 
functions for the mobile stations, a Gateway MSC (GMSC) 130 for routing incoming 
calls to the PLMN to the appropriate MSC, and an SMS Gateway MSC (SMSGMSC) 
140 which is an interface between the mobile network and a network providing access to 
the short message service center for delivery of short messages to the mobile stations via 
a Switching Center (SC) 150. A Base Station Controller (BSC) 160 and a Base 
Transceiver Station (BTS) 1 70 are part of the base station system equipment for 
connecting the network to a mobile station 180. An Equipment Identity Register (EIR) 
190 handles management of the equipment identities of the mobile stations. 

As shown in FIG. 1, other entities may be connected to the network. For example, 
a Switching Network 210 may be connected to the network via the GMSC 130, a Packet 
Network 220 may be connected to the network via a General Packet Radio Service 
Support Node (GSN) 200, and another PLMN 230 may be connected to another GMSC 
130. A Fraud Detection System (FDS) 240 may be connected to several types of entities 
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in the network, e.g., the HLR 100 and another MSC 120, from which it obtains 
information for specific subscribers. The information collected may include information 
regarding the charging data records generated, e.g., at the MSCs, the location information 
of the subscribers, which is generally generated at the HLR, and information regarding 
5 the activity generated in real time (such as the number of call forwarding registrations 
performed in a period of time, the number of parallel calls made in that time, etc.). The 
FDS 240 discovers possible fraud risk situations. For example, the FDS 240 detects 
when a subscriber suddenly has a really high charging record that has previously never 
occurred. As another example, the FDS 240 detects when a subscriber generates several 

1 0 parallel calls to certain countries, which might indicate call selling activities. As a third 
example, the FDS 240 detects when a subscriber is located in two different distant places 
within a very short interval of time, which may indicate cloning activities. 

The entities of the PLMN communicate via a common signalling system. For 
example, in the GSM System, the Mobile Application Part (MAP) of the Signaling 

1 5 System No. 7 specified by CCITT is used to communicate between entities in the PLMN. 
Details of this signalling system are given in Digital Cellular Telecommunications 
System (Phase 2+), Mobile Application Part (MAP) specification, TS GSM 09.02 
v.5.6.00, which is incorporated herein by reference. 

Based on roaming agreements between mobile network operators, the mobile 

20 subscribers belonging to a specific PLMN 250, referred to as a Home PLMN (HPLMN), 
can make use of their services and facilities while roaming in another PLMN network 
260, referred as a Visitor PLMN (VPLMN). FIG. 2 shows an exemplary configuration of 
a network architecture for a roaming scenario. Similar to FIG. 1, a FDS 240 is connected 
to entities such as the HLR 100 and the MSCs 120. 

25 With the continuos growth of network elements, transmission media, etc., more 

refined fraud methods have been developed. Such methods involve attacks on the 
signalling system. Using GSM as an example, the security of the global SS7 network as a 
transport system for sensitive signalling messages is open to major compromise. 
Messages can be eavesdropped, altered, injected or deleted in an uncontrolled medium. 

30 confidential information has recently been added in the GSM standards to the signalling 
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protocols which will increase the confidentiality risk due to the lack of confidentiality in 
the signalling media. Such confidential information includes, e.g., location information 
based on geographical coordinates, charging information, etc. These risks will further be 
increased by the possible future use of open signalling protocols for signalling 
5 transmission, e.g., Transmission Control Protocol/Internet Protocol (TCP/IP). While the 
current GSM specification provides for authentication of mobile subscriber identities, 
there is no authentication of network entities defined in GSM. Some restriction policies 
exist, but there is no mechanism for assuring that the identity information has not been 
manipulated. 

1° There is a need for a method for transmitting certain confidential information 

through mobile communication networks protected from attacks performed by accessing 
the signalling network. User confidentiality can be attacked by accessing certain 
information included in signalling messages. This information relates mainly to the 
origin/destination of the calls and location of the subscriber. Other attacks to the network 

1 5 operation may occur by impersonating a network node or network entity. The main 
threats faced from subscriber impersonation are the manipulation of answers to 
authentication procedures and the eavesdropping of authentication information. Such 
impersonation permits access to confidential information and may even result in a change 
to specific service behavior (e.g., Customized Applications for Mobile Network 

20 Enhanced Logic (CAMEL) charge services, location services, Supplementary Services 
(SS) procedures, redundancy, etc.), which may result in fraud and/or affect the network 
behavior. 

The service availability can be compromised at the user level, based on 
manipulation of subscription information or messages granting the service. The service 
25 availability can also be compromised at the network level, by deletion of resource 

liberation related messages, e.g., deletion of a message indicating a subscriber's location, 
or by overloading the network through message injection. 

There is thus a need for authenticating an originating node or network entity in 
order to initiate confidential communications between entities in one or more networks. 
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SUMMARY 

It is therefore an object of the present invention to provide a technique for secure 
communication. It is yet another object of the present invention to provide a technique 
for authenticating network entities for confidential communications. 
5 According to an exemplary embodiment of the present invention, these and other 

objects are met by a method and apparatus for secure communication between entities in 
one or more networks. A determination is made whether security measures needed for 
the communication exist between the entities. If such measures do not exist, the security 
measures are established, and the communication is initiated. The security measures 

1 0 include security bindings including information needed for the secure communication. 
Security measures are established between entities in one or more networks based on 
predetermined security requirements and on a determined needed security level. The 
security level needed may be determined based on whether the entities are in the same 
network or in different networks and/or on the information being transmitted. Security 

1 5 bindings are established between the entities depending on the information to be 

transmitted and/or the network to which the entities belong. The security bindings include 
information identifying the security binding, encryption information, authentication 
information, integrity information, a list of addresses or group of addressees included in 
the security bindings, and/or information regarding the lifetime of the security bindings. 

20 The encryption, authentication, and integrity may be specified at a parameter level. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The features, objects, and advantages of the invention will become apparent by 
reading this description in conjunction with the accompanying drawings, in which like 
25 reference numerals refer to like elements and in which: 

FIG. 1 illustrates an exemplary network architecture for mobile radio 
communication systems; 

FIG. 2 illustrates an exemplary network architecture for a roaming scenario; 
FIG. 3 illustrates a key life cycle; 
30 FIG. 4 illustrates a system for secure communication according to an exemplary 
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embodiment; 

FIG. 5 A illustrates a message sequence for the transmission of key management 
information; 

FIG. 5B illustrates a detailed example of a process for establishing a security 
binding; 

FIG. 6 illustrates a message sequence for the transmission of encrypted 
information; 

FIG. 7 illustrates an entity procedure for transmitting encrypted information; 
FIG. 8 illustrates a message sequence for the transmission of authentication 
information; and 

FIG. 9 illustrates a message sequence for the transmission of integrity information. 

DETAILED DESCRIPTION 

A general premise of any security analysis is that the weakest point in the security 
chain may compromise the complete security system. In a signalling system, the chain 
comprises a number of signalling protocols, such as Integrated Services Digital Network 
(ISDN) User Part (ISUP), Data Transfer Application Part (DTAP), Base Station System 
Application Part (BSSAP), GPRS Transfer Protocol (GTP), CAMEL Application Part 
(CAP), Intelligent Network Application Protocol (INAP), etc. For illustrative purposes, 
the following discussion is directed towards the Translation Capability Application Part 
(TCAP) and Mobile Application Part (MAP) protocols. However, it will be appreciated 
that the invention is not limited to applications using these protocols, but may be 
applicable to other protocols. 

According to an exemplary embodiment, security may be managed using one or 
more of four mechanisms: data encryption, authentication, integrity, and key 
management. Data encryption is used to assure confidentiality of transmitted 
information, authentication is used to assure that the messages received from a certain 
entity have not been injected or replayed by intruders, integrity is used to assure that the 
information has not been manipulated, and key management is used to manage the 
encryption, authentication, and integrity mechanisms. The key management mechanism 
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allows flexible handling of keys upon which the encryption and authentication 
mechanisms are based. 

There are various considerations to be taken into account when considering how to 
apply these mechanisms. For example, backward compatibility when communicating 
with entities not supporting the signalling security mechanism should be maintained. 
Also, forward compatibility should be made possible, allowing adaptation to further needs 
and emerging technologies (e.g., new encryption algorithms, future transmission of 
sensitive information, etc.). The impact of the security mechanisms on network 
performance should be minimized. The number of entities in the network with high 
security requirements should also be minimized. Handling of roaming scenarios should 
be made simple. High granularity in the application of the security mechanisms at the 
network, entity, procedure and subscriber levels should be provided, such that different 
security levels can coexist. 

According to exemplary embodiments, all of the mechanisms do not have to be 
applied. For example, if the information contained in a message is considered important 
by itself, this implies that in some cases it may be desirable only to apply data encryption 
(to avoid eavesdropping) or only to apply data integrity (to avoid manipulation), 
independently of the other requirements. Thus, according to exemplary embodiments, the 
mechanisms are as independent as possible in order to allow the independent application 
of the mechanisms and to simplify the adaptation of the mechanisms to emerging 
technologies. 

According to an exemplary embodiment, a key management system is proposed, 
and the encryption and authentication mechanisms take advantage of it in order to 
simplify the complete procedure. Since key management is commonly used by the other 
mechanisms, the key management mechanism will be described first. 

KEY MANAGEMENT 

Key management is the administration and use of the services of generation, 
registration, certification, de-registration, distribution, installation, storage, archiving, 
revocation, derivation and destruction of keying material. The objective of key 
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management is the secure administration and use of these key management services. 

The protection of keys is extremely important. The appropriate protection of 
keys depends on the threats they face. Problems that arise in key distribution are the 
number of entities involved in the communication and the nature of them. Since mobile 

5 networks such as the GSM/UMTS network allow roaming, there is communication 
between several entities out of the operator security domain. On the other hand, each 
operator may need to have complete control over the security in the entities. 

Security bindings between entities indicate the allowed communication between 
entities and the characteristics of the encryption, authentication, and integrity mechanisms 

1 0 used and specific characteristics of the corresponding binding. According to an 

exemplary embodiment, the security bindings include information such as a binding 
identity, which uniquely identifies the security binding, encryption, which specifies the 
parameters to be encrypted, the algorithms applicable (e.g., BEANO) and the session key 
used, authentication, which refers to messaging requiring authentication, the 

1 5 authentication system applicable and the key used, integrity, which refers to messages 
requiring integrity and the integrity system applicable, lifetime, which is the time during 
which the security binding is considered applicable, and destinations, which includes a 
list of addresses or group of addresses (e.g., MSISDN series) included in the security 
binding. 

20 Using a common Signalling System between entities will originate a huge amount 

of possible messages using a certain key, which allow attacks based on massive 
information. This can be avoided by the use of very strong authentication mechanisms 
which usually are based on large keys and block sizes, implying an undesirable impact in 
the system performance. 

25 The problem of attacks based on massive information can be avoided by frequent 

key changes. Thus, according to an exemplary embodiment, session keys, which only 
remain valid for a particular communication session, may be used. 

A session key is only made valid during a prescribed period. Thus, the keys are 
temporary and subject to modification after the prescribed period. A life cycle is 

30 therefore associated with each key. A typical life cycle of a key is illustrated in FIG. 3. 
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The life cycle includes three principal states: pending active, active, and post 
active. When a key is generated, it enters the pending active state 300. In the pending 
active state 300, a key has been generated, but has not been activated for use. The key 
remains in the pending active state until it is either destroyed or activated for 
cryptographic operations. Upon activation, the key enters the active state 310. In the 
active state 310, the key is used to process information cryptographically. The key 
remains in the active state until it is deactivated, which limits a key's use, e.g., because 
the key has expired or has been revoked. Upon deactivation, the key has limited use and 
enters the post active state 320. In the post active state 320, the key is only used for 
decipherment or verification. The key remains in the post active state until it is either 
destroyed or is reactivated. Reactivation allows a post-active key to be used again for 
cryptographic operations, at which point it returns to the active state 310. 

The number of entities exponentially increases the need for security bindings 
between cooperating entities. If the security bindings between the entities are 
independent for each communicating pair, this will negatively impact processing and 
performance. But, if the same key is shared in several security bindings, the probability 
of breaking it increases, which may result in a breakdown of the entire security system. 

To address this problem, the number of entities that shall be authenticated by 
parties outside the operator security domain should be minimized. Therefore, according 
to exemplary embodiment, only a few entities in each network are authenticated by 
Trusted Third Party (TTP) systems. 

According to an exemplary embodiment, the functionality of key handling in the 
operator domain may be based on an existing Authentication Center (AuC). The AuC 
contains information for authenticating subscribers at the attachment phase to the network 
of the mobile terminals, e.g., when the subscribers switch on the mobile terminals, and the 
mobile attach to the network. This is advantageous because the AuC already has strong 
security requirements that may be used for this application. In addition, in the GSM 
system, AuCs handle MAP protocol that can be easily used for communicating entities 
such as a VLR, MSC, and HLR, etc., to handle key distribution. 

An exemplary basic key management architecture showing the security bindings 
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between network entities is shown in FIG. 4. There are three different security levels: 
Inter PLMN level, Intra PLMN level, and Session level. 

The Inter PLMN level is used for establishing security bindings between entities 
belonging to different PLMNs. For example, as shown in FIG. 4, security bindings are 

5 established between the TTP and the AuC A of Network A, and between the TTP and the 
AuC B of Network B. These security bindings are established based on predetermined 
security requirements, e.g., based on either bilateral agreements between PLMN 
operators or by trusting in an external co-operation or entity acting as a TTP, i.e., an 
entity used to authenticate other entities. These security bindings have strong security 

10 requirements and the specific mechanism used should be enough flexible to allow state of 
the art techniques. The TTP may be integrated with other systems outside the network. 
Nevertheless, a default mechanism should be supported to provide this security bindings 
in a multivendor environment. 

According to an exemplary embodiment, the Intra PLMN level is used for 

15 establishing security bindings between entities belonging to the same PLMN. At the Intra 
PLMN level, one or more AuC entities (with security bindings established) act as a TTP 
for the entities in the PLMN. For example, as shown in FIG. 4, a security binding exists 
between AuC A and AuC B These security bindings may be established at the operator 
premises, to allow the establishment of different standard and customized security 

20 schemes. Nevertheless, some standard mechanisms should be supported to provide the 
security bindings in a multivendor environment. 

The Session level is used for establishing security bindings between 
communicating entities. The session established will be handled through the AuC (or 
AuCs) assigned to the entities. Each entity trusts in its corresponding AuC. For example, 

25 as shown in FIG. 4, Network Entities in Network A, NE A , are connected to the AuC A via 
security bindings. Similarly, Network Entities in Network B, NE B , are connected to 
AuC B by security bindings. Also, the Network Entities NE A and NE B are connected to 
each other via security bindings. Although one AuC is shown for each network in FIG. 4 
for simplicity of illustration, it will be appreciated that more than one AuC may be 

30 employed in each network and that more than one AuC may be assigned to each entity in 
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the network. 

At the Session level, there are two types of communication possible, depending on 
the type of communication (Inter PLMN or Intra PLMN). If the communication is Inter 
PLMN, i.e., between entities in different networks, the selected.identification mechanism 
should allow the establishment of different standard security schemas. If the 
communication is Intra PLMN, i.e., between entities within the same network, the 
selected mechanism should allow the establishment of different standard and customized 
security schemas. Nevertheless, some standard mechanisms should be supported to 
provide the security bindings in a multi vendor environment. 

So, the selected mechanism should allow the establishment of different standard 
and customized security schemas. According to an exemplary embodiment, the security 
bindings may be based in MAP protocol. 

As a consequence of installation, each entity will have enough information to 
contact the AuC responsible for its signal security. Security bindings to different levels 
will be established, first to the Intra HPLMN level and then to the Session level. 

The sequence shown in FIG. 5A illustrates an exemplary message flow for 
transmission of key handling information. First, the Sending Entity checks whether the 
security binding has been established with the Receiving Entity or whether the security 
binding has expired. Next, the Sending Entity sends a Security Binding Request message 
to the Sending Entity AuC. The Sending Entity AuC maintains information about the 
desired security bindings for the Sending Entity, indicating for each attribute whether the 
attribute is requested or negotiable. The Sending Entity AuC sends a Security Binding 
Request message to the Receiving Entity AuC. The Receiving Entity AuC sends a 
message to the Receiving Entity, and the Receiving Entity determines which attributes it 
can handle and responds to the Receiving Entity AuC with the accepted security binding 
attributes. The Receiving Entity AuC then responds to the Sending Entity AuC with the 
accepted attributes. The Sending entity AuC sends a Security Binding Acceptance 
message to the Sending Entity, indicating acceptance of the attributes specified by the 
Receiving Entity. If the accepted attributes are considered sufficient for the 
communication, the Sending Entity responds to the Sending Entity AuC with a Security 
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Binding Acceptance acknowledgment message, and this message is forwarded to the 
Receiving Entity via the Receiving Entity AuC. 

As an alternative, the Receiving Entity AuC can determine which attributes are 
acceptable and send a Security Binding Notification Message to the Sending Entity AuC 

5 and the Receiving Entity indicating the acceptable attributes. This alternative may be 
acceptable, e.g., when the Receiving Entity AuC has information specifying which 
attributes the Receiving Entity can handle. 

According to an exemplary embodiment, the key handling messages are sent 
encrypted and authenticated, with integrity information included. 

10 FIG. 5B illustrates a detailed example of a process for establishing a security 

binding. In this figure, a method for establishing a security binding between an HLR and 
a VLR is shown as an example. The method begins with the HLR initiating a request to 
establish a security binding to the VLR. The request includes proposed algorithms, e.g., 
Alg 1 and Alg 2, and the level of security for the parameters, e.g., class 2 for 

15 authentication information and charging data, class 1 for location, and class 0 for the 

remainder of the data. The HLR address is also included. Since the security binding has 
not been established yet, there is no security binding identity included. The request is 
received by the AuC for the HLR, AuC„ and transmitted to the AuC for the VLR, AuC 2 . 
AuC 2 transmits the request to the VLR, includes a key request and assigns a security 

20 binding identity. The VLR determines which of the proposed algorithms and security 

classes it can handle and replies with an appropriate message, e.g., an acceptance message 
that indicates acceptance of Alg 2 and acceptance of the security classes. The acceptance 
message also provides the VLR address. The acceptance message is forwarded from AuC 2 
to AuC,, and AuC, transmits the acceptance message to the HLR. The HLR replies with 

25 an acceptance acknowledgment, which is transmitted to AuC,. AuC, forwards this 
message to AuC 2 , and AuC 2 transmits this message to the VLR. After the acceptance 
acknowledgment is received but he VLR, the security binding establishment is completed. 



30 



PATA ENCRYPTION 

There are many types of confidential information that may be transmitted between 
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network entities, e.g., location information, charging information and triplets, i.e., 
information elements used to authenticate subscribers, including random, figured 
response, and ciphering key. For example, this information can be identified in MAP and 
Capability Application Part (CAP) protocols in the following messages: 
Location Information 



, Parameter 


Message 


Protocols 


RESULT 

Parameter:LocationInformation 


ProvideSubscriberlnfo 
(HLR->MSC/VLR) 


MAP 

VI, V2, REL96, REL97 


RESULT 

ParametenLocationlnformation 


SendRoutinglnfo 
(HLR->GMSC) 


MAP 

REL96, REL97 


RESULT 

ParametenLocationlnformation 


Anytime interrogation 
(gsmscf ->HLR) 


MAP 
REL96 


ARGUMENT 

Parameter: LocationNumber 


Initial DP 

(gsmssf->gsmscf) 


CAP 


Table I 

Charging Information 


Parameter 


Message 


Protocols 


Result parameter 
PartyToChange 


FurnishCharginglnfo 
(SRR->SSP) 


CAP 
REL97 


RESULT 

Parameter FreeFomatData 


FurnishCharginglnfo 
(SCP->SSP) 


CAP 
REL97 



Table II 
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Triplets 





Parameter 


Message 


Protocols 




RESULT 


SendAuthenticationlnfo 


MAP 


5 


Parameter: Authentication set 


(MSC/VLR -> HLR, 


VI, V2, REL96, REL97 






VLRa -> VLRb) 





Table III 



A consequence of the examples above is that the parameters are not present in all 
the messages and that usually they are only a small part of the complete message 
10 requesting confidentiality. Another consideration is that the information used for 
addressing purposes (e.g., at the Signalling Connection Control Part (SCCP)) can be 
accessed at lower levels than MAP or CAP protocols (e.g., International Mobile 
Subscriber Identity (IMSI), Mobile Services Integrated Services Digital Network 
(MSISDN), VLR number, etc.). As a consequence, the security chain for this information 
15 is vulnerable, and it does not make sense to protect it at an Application Part level. 

Therefore, according to an exemplary embodiment, confidential information is 
encrypted at the parameter level, removing these parameters from the ClearText part and 
including them in a new Encrypted part of the MAP operation, e.g.: 

Param_l, Param_2 t Param_3, Paramjf 
20 If Param_2 and Paramjf are confidential 

ClearText (Par am J \ Param_3), Encrypted(Param_2, Par am 4) 
The sequence shown in FIG. 6 illustrates an exemplary message flow 
corresponding to the transmission of encrypted parameters. As shown in FIG. 6, the 
Sending Entity checks whether the security binding has been established with the 
25 Receiving Entity or whether the security binding has expired. If the security binding has 
not been established, or the lifetime has expired, the security binding is established, e.g., 
using the process shown in FIG 5A. Next, a message with the information is sent. The 
confidential parameters (identified by the security binding) are encrypted in the Sending 
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Entity. Then, the message with encrypted information is answered. The confidential 
parameters (identified by the security binding) are encrypted in the Receiving Entity. 

The encrypted information can be included in a new standard parameter (e.g., 
encrypted information), the content of which is completely encrypted (except tag and 
length). The encrypted information may comprise a set of standard and proprietary 
parameters including information considered sensitive which should not be transmitted 
following the normal coding. The content of this encrypted information parameter can be 
defined either on a message basis or as a common data type that can be used in all 
applicable operations including, as an option, all possible parameters that could contain 
sensitive information. This parameter can contain authentication information, integrity 
information, padding octets and all other information requested by the selected security 
mechanism. 

The selection of encrypted information may be performed in the sending entity 
according to the established security binding. FIG. 7 shows an exemplary entity 
procedure for selecting encrypted information. The process begins at step 700. At step 
710, a determination is made whether a security binding has been established with the 
Receiving Entity. If so, a determination is made whether the security binding lifetime has 
expired at step 720. If, at step 710, it is determined that the security binding has not been 
established with the Receiving Entity or at step 720 it is determined that the security 
binding lifetime has expired, a security binding establishment procedure such as that 
shown in FIG. 5A is performed at step 730. Then, a determination is made whether the 
security binding is established at step 740. If it is determined that the security binding is 
not established at step 740, the process ends at step 780. 

From a determination at step 790 that the security binding lifetime has not expired 
or a determination at step 740 that the security binding has been established, the method 
proceeds to step 750 at which clear text parameters are prepared. At step 760, encrypted 
parameters are prepared. At step 770, the message is sent, and at step 780, the process 
ends. 
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ENTITY AUTHENTICATION 



Some operations may cause undesired behavior in the network when injected by 
impersonating trusted entities. In principle, all operations may be used for illegal 
purposes. Some examples are given in Table IV: 



Message 


Effect 


Protocols 


Update location 

• 

(VLR->HLR) 


Allow originating services to 
unregistered subscribers 


MAP 


ProvideSubscriberlnfo 
(HLR->MSC/VLR) 


Allow unallowed terminating 
calls 


MAP 


InsertSubscriberData 
(HLR->VLR) 


Allow services not provided to 
the subscriber 

Allow arming CAMEL TAPS 


MAP 


Interrogates S 
(HLR->VLR) 


Request subscriber information 


MAP 


Anytime interrogation 
(gsmscf->HLR) 


Request subscriber information 


MAP 


Initial DP 
(gsmssf-> gsmscf) 


Its interception allows overcome 
possible controls 


CAP 



Table IV 



As can been seen from the examples above, different messages may affect 
network behavior differently. Thus, as a consequence, not all entities have the same 
authentication requirements. Also, depending on the operation, the sending or receiving 
entity may request authentication (e.g., in a Location Updating (LU) operation, the 
receiving may request authentication, while in an Insert Subscriber Data (ISD) operation, 
the sending entity may request authentication, etc.). Another consideration, as noted 
above with regard to encryption, is that the information used for addressing purposes 
(e.g., at the SCCP) can be accessed at lower levels than MAP or CAP protocols (e.g., 
IMSL MSISDN, VLR number, etc.) and changed. As a consequence, is does not make 
sense to protect this information at an Application Part level. 
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According to an exemplary embodiment, entity authentication is applied on a per 
entity basis, only to selected operations. A new Authenticator parameter may be included 
in the new Encrypted part of the MAP operations, e.g.: 

ParamJ, Paramjl 
If the sending entity is to be authenticated: 
ClearText(Param_l, ParamJZ), Encrypted(Authenticator) 

There are various types of authentication used between entities. 

For example, in type 1 authentication, the sending entity uses the key for the 
domain so the confidentiality and authenticity will be based on the security of the keys. 
This allows implicit authentication. Explicit authentication can be done if digital 
signatures are included in the messages as new parameters. 

In type 2 authentication, explicit authentication is possible when key exchange is 
initiated. When the key agreement is established, the certificate can be provided from the 
TTP to the sending entity. This allows the sending entity to send the certificate to the 
receiving entity. Assuming the key is secure, during the active period of the key, only the 
sending entity will be able to send encrypted information to receiving entity using that 
session key. A certificate in this case may be Kn2[Ksnln2, ID(Nl),T,LKsnln2]. 
Assuming the key is secure during the active period of the key, implicit authentication 
occurs. 

When data is transferred, explicit authentication is possible as well, for example 
using digital signatures. For example, the message will generate a message digest using a 
hash function and then apply a digital algorithm to the digest. 

Type 3 authentication is the same as type 2 authentication, and a certificate in this 
casemaybeeKsn2[eKpn2[Ksnln2,ID(Nl),T, Lks]//TVP]). Explicit signature is 
possible, as well. 

The sequence shown in FIG. 8 illustrates the message flow for the transmission of 
authentication information. First, the Sending Entity checks whether the security binding 
has been established with the receiving entity or if it has expired. If the security binding 
has not been established, or the lifetime has expired, the security binding is established, 
e.g., using the process shown in FIG. 5A. Next, a message with Authentication 
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information is sent. Then, the Authentication parameter (identified by the security 
binding) is encrypted in the Sending Entity. A Message with Authentication information 
is answered. The Authentication parameter (identified by the security binding) is 
encrypted in the Receiving Entity. 
5 The Authentication Information can be included in a new standard parameter (e.g., 

entity Authenticationinformation) into the encrypted Information parameter described 
above. The Authentication Information may be included in a container including the 
digital signature according to the security binding established between the communicating 
entities. 

10 Although not shown, an entity procedure similar to that shown in FIG. 7 may be 

performed for transmission of authentication information. 

DATA INTEGRITY 

According to an exemplary embodiment, the integrity of the information is 
1 5 assured by including Integrity Information in the Encrypted part of the MAP operation 
calculated based in the message content and other potential information (e.g. TVP, time 
stamp, sequence number, etc.), e.g.: 

Paraml, Param_2 
If the message integrity is to be assured: 
20 ClearText(ParamJ, ParamJ2), Encrypted(Integrity) 

The sequence shown in FIG. 9 illustrates the message flow corresponding to the 
transmission of Integrity Information. First, the Sending Entity checks whether the 
security binding has been established with the receiving entity or if it has expired. If the 
security binding has not been established or the lifetime has expired, the security binding 
25 is established, e.g., using the process shown in FIG. 5A. Next, a Message with Integrity 
information is sent. The Integrity parameter (identified by the security binding) is 
calculated as a function of the message content and encrypted in the Sending Entity. 
Then, a Message with Integrity information is answered. The Integrity parameter 
(identified by the security binding) is encrypted in the Receiving Entity. 
30 The integrity information can be included in a new standard parameter (e.g., 
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integrity information) into the encrypted information parameter as described above. 

Although not shown, an entity procedure similar to that shown in FIG. 7 may be 
performed for transmission of integrity information. 

According to exemplary embodiments, mechanisms for authentication, 
encryption, integrity and key handling are provided for insuring secure communications. 
Operations from non-authenticated nodes can be restricted. Backward compatibility is 
maintained, and forward compatibility is assured. The transmission mechanism is 
independent of the key handling and ciphering method. The Overhead related to 
encryption/decryption is only added to security sensitive messages, parameters and notes. 

Although described with reference to security management in a GSM system using 
CCITT No. 7 signalling and CAP and MAP protocols, it will be appreciated by those of 
ordinary skill in the art that this invention can be embodied in other specific forms 
without departing from its essential character. For example, the principle of security 
management described above may be applicable to other types of signalling protocols 
and/or other types of communication systems. The embodiments described above should 
therefore be considered in all respects to be illustrative and not restrictive. 



WO 00/74345 PCT/SE00/0 1 093 

-19- 

WE CLAIM: 

1 . An apparatus for providing secure communication between entities in one 
or more communication networks, comprising: 

5 means for determining whether security measures needed for the 

communication exist between the entities; 

if such measures do not exist, means for establishing security measures; 

and 

means for establishing communication between the entities when the 
1 0 security measures have been established. 

2. The apparatus of claim 1 , wherein the security measures comprise security 
bindings including information needed for the secure communication. 

15 3. The apparatus of claim 1 , wherein the means for determining includes 

means for determining a security level needed for the communication, and the means for 
establishing includes means for requesting the security level and means for establishing 
security measures in response to the requested security level and based on predetermined 
security requirements. 

20 

4. The apparatus of claim 1 , wherein the means for establishing security 
measures establishes security between entities in one or more networks based on 
predetermined security requirements. 

25 5. The apparatus of claim 1 , whether means for establishing security 

measures establishes the requested security between the entities communicating by 
establishing security bindings between at least the communicating entities depending on 
the information to be transmitted and/or the network to which the entities belong. 



30 
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6. The apparatus of claim 2, wherein the security bindings include 
information identifying the security binding. 

7. The apparatus of claim 1 , wherein the security measures include 
5 encryption. 



8. The apparatus of claim 2, wherein the security bindings include encryption 
information. 



10 9 - The apparatus of claim 7, wherein encryption is specified at a parameter 

level. 



10. The apparatus of claim 1, wherein the security measures include 
authentication. 

15 

1 1 . The apparatus of claim 2, wherein the security bindings include 
authentication information. 



12. The apparatus of claim 10, wherein authentication is specified at a 
20 parameter level. 

13. The apparatus of claim 1, wherein the security measures include integrity. 

14. The apparatus of claim 2, wherein the security bindings include integrity 
25 information. 



1 5. The apparatus of claim 1 3, wherein integrity is specified at a parameter 

level. 



1 6. The apparatus of claim 2, wherein the security bindings include a list of 
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addressees or group of addressees included in the security bindings. 

1 7. The apparatus of claim 1 , wherein the means for determining determines 
whether the lifetime of the security measures has expired. 

1 8. The apparatus of claim 2, wherein the security bindings include 
information regarding the lifetime of the security bindings. 

19. The apparatus of claim 3, wherein the determining means determines 
whether the communication is between entities in the same network or between entities in 
different networks and requests a security level based on this determination. 

20. A method for secure communication between entities in one or more 
communication networks, comprising the steps of: 

determining whether security measures needed for the communication 
exist between the entities; 

if such measures do not exist, establishing the security measures; and 
establishing communication when the security measures are established. 

2 1 . The method of claim 20, wherein the step of establishing the security 
measures includes establishing security bindings between the entities. 

22. The method of claim 20, wherein the step of determining includes 
determining a security level needed for communication, and the step of establishing 
includes requesting the security level and establishing security measures in response to 
the requested security level and based on predetermined security requirements. 

23. The method of claim 20, wherein the step of establishing security 
measures includes establishing security measures between entities in one or more network 
based on predetermined requirements. 
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24. The method of claim 20, whether the step of establishing security 
measures includes establishes the security measures between the entities communicating 
by establishing security bindings between at least the communicating entities depending 

5 on the information to be transmitted and/or the network to which the entities belong. 

25. The method of claim 21, wherein the security bindings include 
information identifying the security binding. 

10 26. The method of claim 20, wherein the security measures include 

encryption. 



27. The method of claim 21 , wherein the security bindings include encryption 
information. 

15 

28. The method of claim 26, wherein encryption is specified at a 
parameter level. 



29. The method of claim 20, wherein the security measures include 
20 authentication. 



30. The method of claim 21 , wherein the security bindings include 
authentication information. 



25 31. The method of claim 29, wherein authentication is specified at a parameter 

level. 



32. The method of claim 20, wherein the security measures include integrity. 



33. The method of claim 21, wherein the security bindings include integrity 
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information. 

34. The method of claim 32, wherein integrity is specified at a parameter 

level. 

35. The method of claim 2 1 , wherein the security bindings include a list of 
addressees or group of addressees included in the security bindings. 

36. The method of claim 20, wherein the step of determining determines 
whether the lifetime of the security measures has expired. 

37. The method of claim 21, wherein the security bindings include information 
regarding the lifetime of the security bindings. 

38. The method of claim 22, wherein the step of determining determines 
whether the communication is between entities in the same network or between entities in 
different networks and requests a security level based on this determination. 
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